A Simple Single Sign-On Scenario

In a single sign-on scenario, a user logs in to access a protected
resource. Once the user has successfully authenticated to OpenSSO Enterprise, a
user session is created and stored in OpenSSO Enterprise memory. The user's
browser carries the session identifier in a cookie or a URL query parameter.
Each time the user requests access to another protected resource,
the new application must verify the user's identity. It does not ask
the user to present credentials. Instead, the application uses the
session identifier and the Session Service interfaces to retrieve
the user's session information from OpenSSO Enterprise. If the session
information shows that the user has already been authenticated
and the session is still valid, the new application allows the user
access to its data and operations. If the user is not authenticated,
or if the session is no longer valid, the requested application prompts
the user to present credentials a second time. Until the user logs out,
this scenario is played out every time the user accesses a protected
resource in the single sign-on environment. For more detailed information
about user sessions and single sign-on, see Chapter 6, Models of the User Session and Single Sign-On Processes, in Sun OpenSSO Enterprise 8.0 Technical Overview.
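
The per-request check described above, as an added example that is not OpenSSO Enterprise code: an in-memory `SessionService` class stands in for the Session Service interfaces. The cookie and parameter name `sso_session` and the 30-minute idle timeout used to decide whether a session is still valid are assumptions.

```python
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, parse_qs

COOKIE_NAME = "sso_session"  # hypothetical name, not taken from OpenSSO
MAX_IDLE = 30 * 60           # assumed validity rule: idle timeout in seconds

class SessionService:
    """In-memory stand-in for the server-side session store."""
    def __init__(self):
        self._sessions = {}

    def create(self, user, now):
        """Called once, after the user has authenticated successfully."""
        sid = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[sid] = {"user": user, "last_access": now}
        return sid

    def lookup(self, sid, now):
        """Return the session if it exists and is still valid, else None."""
        session = self._sessions.get(sid)
        if session is None:
            return None              # unknown, forged or logged-out identifier
        if now - session["last_access"] > MAX_IDLE:
            del self._sessions[sid]  # expired sessions are destroyed
            return None
        session["last_access"] = now
        return session

    def logout(self, sid):
        self._sessions.pop(sid, None)

def session_id_from_request(url, cookie_header):
    """Read the identifier from the cookie, else from the URL query string."""
    cookie = SimpleCookie(cookie_header or "")
    if COOKIE_NAME in cookie:
        return cookie[COOKIE_NAME].value
    values = parse_qs(urlsplit(url).query).get(COOKIE_NAME)
    return values[0] if values else None

def handle_request(service, url, cookie_header, now):
    """Decision a protected application makes on every request."""
    sid = session_id_from_request(url, cookie_header)
    session = service.lookup(sid, now) if sid else None
    if session is None:
        return "PROMPT_FOR_CREDENTIALS"
    return "ALLOW:" + session["user"]
```

The application never sees the user's credentials. It trusts only what the session store returns for the presented identifier, so a missing, unknown or expired identifier all lead to the same credential prompt.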